Please tell me if this code is vulnerable to SQL injection!

So I have some code used simply to check a DB for existing content and return an error if found. Here is the snippet in question:

// $username is interpolated straight into the SQL string
$sql_w2 = "SELECT * FROM xf_user WHERE username='$username'";
$res_w2 = mysqli_query($db, $sql_w2);
// same pattern for $email
$sql_e = "SELECT * FROM xf_user WHERE email='$email'";
$res_e = mysqli_query($db, $sql_e);

Is this vulnerable? Thanks!

NEVER EVER put variables in a query. Use Prepared Statements.

Do not SELECT *. Specify the columns you want by name.

Do not use two queries when you only need one.

If your “existing content” check is for an existing username and/or email, DON'T. Set a unique constraint on the columns, attempt the insert and capture the duplicate error if any.

6 Likes
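The four points above, put together as an added example (not code from the original thread or from the poster). It assumes a MySQL/MariaDB table `xf_user` with `username`, `email` and a `password_hash` column (the latter is assumed), UNIQUE keys on `username` and `email`, and placeholder connection credentials; the function names `registerUser` and `findConflict` are made up for the illustration.

```php
<?php
// Added example, not from the original thread. Assumes a MySQL/MariaDB
// table xf_user with columns username, email, password_hash (password_hash
// is assumed) and the placeholder connection details below.
declare(strict_types=1);

// Throw mysqli_sql_exception instead of returning false, so a failed
// query can't be silently ignored.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

$db = new mysqli('localhost', 'app_user', 'app_password', 'app_db');
$db->set_charset('utf8mb4');

// One-time schema change, run once, not per request. A check-then-insert
// in PHP has a race window between the SELECT and the INSERT; a UNIQUE
// index is enforced by the database and has no such window:
//   ALTER TABLE xf_user ADD UNIQUE KEY uq_username (username),
//                       ADD UNIQUE KEY uq_email (email);

/**
 * Authoritative path: attempt the INSERT with a prepared statement and let
 * the UNIQUE constraints reject duplicates. MySQL error 1062 is ER_DUP_ENTRY.
 * Values are bound as data, never spliced into the SQL text, so a username
 * such as  '; DELETE FROM xf_user WHERE 'i'='i  is stored (or rejected)
 * as an ordinary string and never parsed as SQL.
 *
 * Returns true when the row was created, false when it already existed.
 */
function registerUser(mysqli $db, string $username, string $email, string $passwordHash): bool
{
    $stmt = $db->prepare(
        'INSERT INTO xf_user (username, email, password_hash) VALUES (?, ?, ?)'
    );
    $stmt->bind_param('sss', $username, $email, $passwordHash);
    try {
        $stmt->execute();
        return true;
    } catch (mysqli_sql_exception $e) {
        if ($e->getCode() === 1062) {
            return false;      // duplicate username or email
        }
        throw $e;              // anything else is a real failure, surface it
    } finally {
        $stmt->close();
    }
}

/**
 * Only for a friendly error message after the INSERT was rejected: one
 * prepared query instead of two, selecting only the columns needed.
 * Returns 'username', 'email', or null if neither matched.
 */
function findConflict(mysqli $db, string $username, string $email): ?string
{
    $stmt = $db->prepare(
        'SELECT username, email FROM xf_user WHERE username = ? OR email = ? LIMIT 1'
    );
    $stmt->bind_param('ss', $username, $email);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();

    if ($row === null) {
        return null;
    }
    return $row['username'] === $username ? 'username' : 'email';
}

// Usage with form input (field names assumed).
$username = $_POST['username'] ?? '';
$email    = $_POST['email'] ?? '';
$hash     = password_hash($_POST['password'] ?? '', PASSWORD_DEFAULT);

if (registerUser($db, $username, $email, $hash)) {
    echo 'Account created.';
} else {
    $field = findConflict($db, $username, $email) ?? 'username or email';
    echo 'That ' . htmlspecialchars($field, ENT_QUOTES, 'UTF-8') . ' is already taken.';
}
```

Note the ordering: the INSERT goes first and the duplicate error is the signal; the SELECT runs only afterwards to name the offending field. Running the SELECT before the INSERT as the guard reintroduces the race that the unique constraint removes.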

To emphasize benanmen’s point…

If I told your script my username was '; DELETE FROM xf_user WHERE 'i'='i
what would your query do?

3 Likes

Okay, point taken. I decided to simply stop using that code altogether as it was sloppy and superfluous. Thanks!